The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security fixes:

* when fput() was called to close a socket, the __scm_destroy() function in the Linux kernel could make indirect recursive calls to itself. This could, potentially, lead to a denial of service issue. (CVE-2008-5029, Important)

* the sendmsg() function in the Linux kernel did not block during UNIX socket garbage collection. This could, potentially, lead to a local denial of service. (CVE-2008-5300, Important)

* the exit_notify() function in the Linux kernel did not properly reset the exit signal if a process executed a set user ID (setuid) application before exiting. This could allow a local, unprivileged user to elevate their privileges. (CVE-2009-1337, Important)

* a flaw was found in the Intel PRO/1000 (e1000) network driver in the Linux kernel. Frames with sizes near the MTU of an interface may be split across multiple hardware receive descriptors. Such a frame could pass a validation check that assumed a single descriptor, corrupting the driver's length check. A remote attacker could use this flaw to send a specially-crafted packet that would cause a denial of service or code execution. (CVE-2009-1385, Important)

* the ADDR_COMPAT_LAYOUT and MMAP_PAGE_ZERO flags were not cleared when a setuid or setgid program was executed. A local, unprivileged user could use this flaw to bypass the mmap_min_addr protection mechanism and perform a NULL pointer dereference attack, or bypass the Address Space Layout Randomization (ASLR) security feature. (CVE-2009-1895, Important)

* it was discovered that, when executing a new process, the clear_child_tid pointer in the Linux kernel is not cleared. If this pointer points to a writable portion of the memory of the new program, the kernel could corrupt four bytes of memory, possibly leading to a local denial of service or privilege escalation. (CVE-2009-2848, Important)

* missing initialization flaws were found in getname() implementations in the IrDA sockets, AppleTalk DDP protocol, NET/ROM protocol, and ROSE protocol implementations in the Linux kernel. Certain data structures in these getname() implementations were not initialized properly before being copied to user-space. These flaws could lead to an information leak. (CVE-2009-3002, Important)

* a NULL pointer dereference flaw was found in each of the following functions in the Linux kernel: pipe_read_open(), pipe_write_open(), and pipe_rdwr_open(). When the mutex lock is not held, the i_pipe pointer could be released by other processes before it is used to update the pipe's reader and writer counters. This could lead to a local denial of service or privilege escalation. (CVE-2009-3547, Important)

Bug fixes:

* this update adds the mmap_min_addr tunable and restriction checks to help prevent unprivileged users from creating new memory mappings below the minimum address. This can help prevent the exploitation of NULL pointer dereference bugs, because a process that cannot map page zero cannot place controlled data at the address a NULL pointer resolves to. Note that mmap_min_addr is set to zero (disabled) by default for backwards compatibility; administrators who want the protection must set vm.mmap_min_addr explicitly via sysctl. (BZ#512642)

* a bridge reference count problem in IPv6 has been fixed. (BZ#457010)

* the gcc flag "-fno-delete-null-pointer-checks" was added to the kernel build options. This prevents gcc from optimizing out a NULL pointer check that follows an earlier dereference of the same pointer (gcc otherwise assumes the pointer must already be non-NULL and drops the check). NULL pointer bugs are often exploited by attackers, and a deleted check lets such code continue with data read from an attacker-mapped page zero instead of bailing out. Keeping these checks is a safety measure. (BZ#511185)

* a check has been added to the IPv4 code to make sure that rt is not NULL, to help prevent future bugs in functions that call ip_append_data() from being exploitable. (BZ#520300)
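The mmap_min_addr bug fix above, the CVE-2009-1895 entry and the -fno-delete-null-pointer-checks note all turn on the same question: can an unprivileged process map the NULL page on this system? The following C program is an added example and is not part of this advisory or of Red Hat's packages. It reads the vm.mmap_min_addr tunable from /proc/sys/vm/mmap_min_addr, then tries to map one anonymous page at address 0 with MAP_FIXED and reports the result. The verdict strings ("disabled", "enforced", "bypassed", "unknown") and the helper function names are this example's own choices. It does not exercise the setuid personality-flag bypass from CVE-2009-1895; it only shows whether the restriction is in force for the calling process.

```c
/* Added example: probe whether mmap_min_addr protects the NULL page.
 * Not from the advisory; helper names and verdict strings are assumptions. */
#define _DEFAULT_SOURCE 1   /* expose MAP_ANONYMOUS under strict -std= modes */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Parse the text of /proc/sys/vm/mmap_min_addr (e.g. "65536\n").
 * Returns the value, or -1 if the text is not a single non-negative number. */
long parse_mmap_min_addr(const char *text)
{
    char *end = NULL;
    errno = 0;
    long v = strtol(text, &end, 10);
    if (errno != 0 || end == text || v < 0)
        return -1;
    while (*end == ' ' || *end == '\n')   /* tolerate trailing whitespace only */
        end++;
    return *end == '\0' ? v : -1;
}

/* Read and parse the tunable from a sysctl file; -1 if it cannot be read. */
long read_mmap_min_addr(const char *path)
{
    FILE *f = fopen(path, "r");
    if (!f)
        return -1;
    char buf[64];
    long val = fgets(buf, sizeof buf, f) ? parse_mmap_min_addr(buf) : -1;
    fclose(f);
    return val;
}

/* Try to map one anonymous page at virtual address 0 with MAP_FIXED, so the
 * kernel cannot silently relocate it.  Returns 1 if the mapping was allowed
 * (page zero is attacker-controllable), 0 if it was refused for any reason
 * (EPERM from mmap_min_addr, EACCES from an LSM, or another failure). */
int probe_page_zero(void)
{
    size_t pagesz = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap((void *)0, pagesz, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
    if (p == MAP_FAILED)
        return 0;
    munmap(p, pagesz);   /* do not leave page zero mapped in this process */
    return 1;
}

/* Combine the two observations into a one-word verdict.
 * "bypassed" covers the case where the tunable is set but the caller is
 * privileged enough (or the flag-clearing bug is present) to map page zero. */
const char *verdict(long min_addr, int page_zero_mapped)
{
    if (min_addr < 0)
        return "unknown";
    if (min_addr == 0)
        return "disabled";          /* the advisory's default: no protection */
    return page_zero_mapped ? "bypassed" : "enforced";
}

int main(void)
{
    const char *path = "/proc/sys/vm/mmap_min_addr";
    long min_addr = read_mmap_min_addr(path);
    int mapped = probe_page_zero();
    printf("vm.mmap_min_addr = %ld, page-zero mapping %s -> %s\n",
           min_addr, mapped ? "succeeded" : "refused",
           verdict(min_addr, mapped));
    return mapped ? 1 : 0;   /* non-zero exit when page zero is mappable */
}
```

Run it as an unprivileged user; running it as root is not a useful test, since on kernels of this era a process with CAP_SYS_RAWIO may map page zero regardless of the tunable. A "disabled" or "bypassed" verdict means a deref-then-check sequence in the kernel (the pattern -fno-delete-null-pointer-checks preserves) would operate on data the local user placed at address 0.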

Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.

4. Solution:

Before applying this update, make sure that all previously-released errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/docs/DOC-11259